Bug 726993 (ralgh)

Summary: SELinux is preventing NetworkManager from using the sys_module capability
Product: [Fedora] Fedora
Reporter: ralgh <bugs2rl>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: awilliam, dcbw, dwalsh, satellitgo
Target Milestone: ---
Target Release: ---
Hardware: i686
OS: All
Doc Type: Bug Fix
Last Closed: 2011-08-02 06:25:09 UTC
Attachments:
Fedora 13 SELinux Bugreport (flags: none)

Description ralgh 2011-07-31 20:45:51 UTC
Created attachment 516037 [details]
Fedora 13 SELinux Bugreport

SELinux is preventing /usr/sbin/NetworkManager from using the sys_module capability.

*****  Plugin sys_module (99.5 confidence) suggests  *************************

If you do not believe that /usr/sbin/NetworkManager should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that NetworkManager should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:system_r:NetworkManager_t:s0
Target Objects                Unknown [ capability ]
Source                        NetworkManager
Source Path                   /usr/sbin/NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           NetworkManager-0.8.4-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-101.fc13
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.34.9-69.fc13.i686
                              #1 SMP Tue May 3 09:20:30 UTC 2011 i686 i686
Alert Count                   9
First Seen                    Sun 31 Jul 2011 18:41:51 CEST
Last Seen                     Sun 31 Jul 2011 22:33:29 CEST
Local ID                      db525607-8994-4892-8a18-a861f2b87a5e

Raw Audit Messages
type=AVC msg=audit(1312144409.74:40): avc:  denied  { sys_module } for  pid=1237 comm="NetworkManager" capability=16  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability


type=SYSCALL msg=audit(1312144409.74:40): arch=i386 syscall=ioctl success=no exit=ENODEV a0=12 a1=8915 a2=bf91a54c a3=bf91a54c items=0 ppid=1 pid=1237 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=NetworkManager exe=/usr/sbin/NetworkManager subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Hash: NetworkManager,NetworkManager_t,NetworkManager_t,capability,sys_module

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

Comment 1 ralgh 2011-07-31 20:47:41 UTC
This is my first bugreport

Comment 2 Dan Williams 2011-08-01 21:36:17 UTC
Dan, this may have gotten fixed; no idea.  If this permission is what I think it is, NM does attempt to insmod a few things like ppp_generic and a bunch of iptables modules used for NAT.

Comment 3 Miroslav Grepl 2011-08-02 06:25:09 UTC
We have this fixed in the next releases of Fedora. Also, F13 is no longer supported. Could you update to a newer version of Fedora?

You can dontaudit it using

# grep NetworkManager /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp
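The two audit2allow invocations on this page (the catchall plugin's `audit2allow -M`, which emits an allow rule, and comment 3's `audit2allow -D -M`, which emits a dontaudit rule) both derive their policy from the fields of the AVC record. The script below is an added example, not part of this bug report or of the SELinux userspace; it reconstructs the policy source (.te) that audit2allow would write for the AVC line above using only grep and awk, so it runs on a machine without the SELinux tools. The function name `avc_to_te`, the module name `mypol` and the sample record are the example's own choices; the record is copied from the raw audit messages above.

```shell
#!/bin/sh
# Added example (not from the bug or from the SELinux tools): derive the
# policy rule and .te module that "audit2allow -M" (allow) or
# "audit2allow -D -M" (dontaudit) would produce from raw AVC records.
# Function and module names (avc_to_te, mypol) are this example's own.

# Constructed input: the AVC record from this bug's raw audit messages.
SAMPLE_AVC='type=AVC msg=audit(1312144409.74:40): avc:  denied  { sys_module } for  pid=1237 comm="NetworkManager" capability=16  scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability'

# avc_to_te MODULE_NAME allow|dontaudit  < audit-log-lines
# Prints a complete policy source (.te) on stdout. Only lines containing
# "avc:  denied" are used; duplicate denials collapse to one rule.
avc_to_te() {
    name="$1"; kind="$2"
    case "$kind" in
        allow|dontaudit) ;;
        *) echo "usage: avc_to_te NAME allow|dontaudit < audit.log" >&2; return 2 ;;
    esac
    grep 'avc:  denied' | awk -v name="$name" -v kind="$kind" '
    {
        # permissions are listed between braces: "{ sys_module }"
        b = index($0, "{"); e = index($0, "}")
        perms = substr($0, b + 1, e - b - 1)
        gsub(/^ +| +$/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        # a context is user:role:type:level; the rule needs only the types
        split(src, s, ":"); split(tgt, t, ":")
        if (s[3] == "" || t[3] == "" || cls == "" || perms == "") next
        types[s[3]] = 1; types[t[3]] = 1
        # accumulate the per-class permission list for the require block
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(" " classperms[cls] " ", " " p[j] " ") == 0)
                classperms[cls] = (classperms[cls] == "" ? p[j] : classperms[cls] " " p[j])
        # audit2allow writes "self" when source and target type coincide
        target = (s[3] == t[3]) ? "self" : t[3]
        pstr = (np > 1) ? "{ " perms " }" : perms
        rule = kind " " s[3] " " target ":" cls " " pstr ";"
        if (!(rule in seen)) { seen[rule] = 1; rules[++nr] = rule }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in classperms) {
            m = split(classperms[c], q, " ")
            pl = (m > 1) ? "{ " classperms[c] " }" : classperms[c]
            printf "\tclass %s %s;\n", c, pl
        }
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# Demo on the constructed record. Comment 3's dontaudit is the safer of the
# two here: the host was in permissive mode and the ioctl already failed with
# ENODEV, so nothing was blocked, and dontaudit grants nothing, whereas allow
# hands NetworkManager_t the right to load kernel modules.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mypol allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_te mypol dontaudit

# To compile and load a generated module with the reference tools:
#   avc_to_te mypol dontaudit < /var/log/audit/audit.log > mypol.te
#   checkmodule -M -m -o mypol.mod mypol.te
#   semodule_package -o mypol.pp -m mypol.mod
#   semodule -i mypol.pp
```

The allow variant reproduces the line shown under "audit2allow" above, `allow NetworkManager_t self:capability sys_module;`; the dontaudit variant differs only in the leading keyword and only stops the denial from being logged. Prefer dontaudit when, as here, the access is not needed for the program to work, because an allow rule for `sys_module` widens NetworkManager_t's privileges permanently.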

Comment 4 ralgh 2011-08-06 20:58:15 UTC
Thank you for commenting. Now I also installed Fedora 15 and the connection worked fine until NetworkManager broke down. I'm using a GPRS/Edge/3G USB modem (ppp0). But like I wrote: this is my first bug report, so don't waste your time thinking about my problems; I was only trying to learn how to write a bug report first, thinking that maybe it could be of interest.

Comment 5 ralgh 2011-08-08 12:19:06 UTC
----------------------------
(In reply to comment #3)
> We have this fixed in the next releases of Fedora. Also, F13 is no longer
> supported. Could you update to a newer version of Fedora?
> 

I did now, but I had some problems with F15 (I had to install it twice; after working quite fine at first (Gnome3), NetworkManager broke down (USB HSDPA mobile connection)); now I have updated to "release 17 (Rawhide)". My updated F13 seems to be more stable.

> You can dontaudit it using
> 
> # grep NetworkManager /var/log/audit/audit.log | audit2allow -D -M mypol
> # semodule -i mypol.pp 

What's 'dontaudit'? 
----------------------------

Comment 6 ralgh 2011-08-08 12:23:28 UTC
----------------------------
Now I have another problem: PackageKit is not working anymore 

("Distro version: Fedora release 17 (Rawhide)
PackageKit version:   0.6.17
PackageKit Process Information:
root   1899  0.0  0.5  29548  5344 ?  Sl  12:02 0:00 /usr/libexec/packagekitd)"):

Error message: "RepoError: database disk image is malformed" 
----------------------------

Comment 7 Daniel Walsh 2011-08-08 14:11:26 UTC
Ralgh, please use 

Community support for Fedora users <users.org>

For these questions, they should not be in bugzilla, unless they are real bugs.

Comment 8 ralgh 2011-08-09 12:52:35 UTC
(In reply to comment #7)

> Ralgh, please use 
> Community support for Fedora users <users.org>
> For these questions, they should not be in bugzilla, unless they are real bugs.

Thank you, Daniel, 
I didn't realize that. 
But users.org is a mail address, 
not the address of a recommended bug report page! 
Anyway, I think you meant me to go to 
https://admin.fedoraproject.org/mailman/listinfo/users instead. 
Yet in my opinion the pages at https://bugzilla.redhat.com 
are far more helpful. 
r. :-|